Data Recovery Case Study 



The Result: 

"What was the result (after the repair) on 
Friday afternoon? 96.7% of the surface 
was successfully imaged. A couple days of 
logical recovery and we were able to 
provide over 55,000 files for evaluation in 
the case." 



J. A. 'Bud' Younke, MCP, MCSE, A+, CDRP 
Something for Everyone!



♦ I tried to use examples such that, even if you had seen my
other presentations, this would be new stuff not
covered before. Kinda like TRIVIA for Hard Drives!

♦ I also tried to include content from each OS so we
can include Macs / Linux / Windows / Solid State
Drive users and all would find something to take
away.
There is a better
way to wipe!



♦ You do not need some special
software like DBAN to wipe your
hard drive. The government built it
into the drive and your controller
for you!

♦ The Center for Magnetic Recording
Research (CMRR) is headed by
Gordon Hughes, Associate Director
of CMRR, UCSD on the Secure Erase
Initiative.
Why another program?



♦ Current methods are really slow; software is slower 
than hardware. 

♦ Requires some other pieces of software (sometimes 
costly) to do a SECURED wipe and sometimes you 
don't have it with you. 

♦ Risk when the program does not complete or verify 
due to power failure or interruptions. 

♦ Most software does not get all blocks or wipe all 
sectors. 



So what is Secure Erase? 



♦ Secure Erase is an ANSI disk drive Standard built into the
ATA command set.

♦ Once the command is initiated it does not need software
to run; it runs internally on the drive itself.

♦ The Secure ATA delete command that wipes drives is in
the controller on your motherboard and has been built into your
hard drive since 2001!

♦ Erase using the DoD 5220 (Standard for Sanitization). The
current ATA specification for Normal Erase mode states
that the SECURITY ERASE UNIT command shall write
binary zeroes to all user data areas. There is enhanced..

http://cmrr.ucsd.edu/people/Hughes/SecureErase.shtml 
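
How a tool can check a drive's security state before issuing the erase, as an added example (not from the slides or from CMRR's utility). It decodes the security words of a 512-byte ATA IDENTIFY DEVICE response, assuming the ATA-8 layout (words 89, 90 and 128); the function names and the two sample drives are constructed for illustration.

```python
import struct

# Bits of IDENTIFY DEVICE word 128 (security status), per the ATA-8 command set.
STATUS_BITS = {0: "supported", 1: "enabled", 2: "locked", 3: "frozen",
               4: "count_expired", 5: "enhanced_erase_supported"}

def erase_minutes(word):
    """Decode word 89 (normal) or 90 (enhanced): None if not reported, else minutes.

    The low byte counts 2-minute units; 255 means "more than 508 minutes".
    """
    units = word & 0xFF
    return None if units == 0 else units * 2

def security_state(identify):
    """Turn a 512-byte IDENTIFY DEVICE block into a Secure Erase readiness report."""
    if len(identify) != 512:
        raise ValueError("IDENTIFY DEVICE data must be exactly 512 bytes")
    words = struct.unpack("<256H", identify)
    state = {name: bool((words[128] >> bit) & 1) for bit, name in STATUS_BITS.items()}
    state["normal_erase_minutes"] = erase_minutes(words[89])
    state["enhanced_erase_minutes"] = erase_minutes(words[90])
    blockers = []
    if not state["supported"]:
        blockers.append("security feature set not supported")
    if state["frozen"]:
        blockers.append("frozen by SECURITY FREEZE LOCK; power-cycle the drive")
    if state["count_expired"]:
        blockers.append("password attempt counter expired; power-cycle the drive")
    state["blockers"] = blockers
    state["ready"] = not blockers
    return state

def build_identify(status, normal, enhanced):
    """Constructed sample data: an IDENTIFY block with only words 89, 90, 128 set."""
    words = [0] * 256
    words[89], words[90], words[128] = normal, enhanced, status
    return struct.pack("<256H", *words)

if __name__ == "__main__":
    # Constructed drives: 0x0021 is ready, 0x0029 has the frozen bit set.
    for status in (0x0021, 0x0029):
        print(hex(status), security_state(build_identify(status, 8, 9)))
```

A drive that reports `enabled` before the erase already has a user password set, which matters because the erase command must be given a password the drive accepts.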
Secure Erase

[Screenshot: console output of the secure erase utility. Legible text:]

  It is required to set a password to the HDD to perform a
  SECURE ERASE.
  Setting HDD security with the following password: idrive
  Set password command: Successful!
  Continuing will begin enhanced secure erase

[The remaining lines are only partly legible: a prompt to proceed, the estimated duration, and an erase start time of 09:55:39.]



What is different? 



♦ A: Gordon Hughes, Associate Director of CMRR,
UCSD on the Secure Erase Initiative:

"Secure erase is a means of erasing all data 
on a disk drive so the original user can be 
certain that it cannot be recovered, 

including data on reallocated blocks on 
the drive. It's electronic data shredding, 
and allows a user to safely sell or donate an 
old drive." 
Bad Block Tables

States it meets DOD



♦ Writing over the disk one
time is all that is needed to
make files unrecoverable.
Not 35 times. The space
between the tracks is so
small that it is virtually
impossible to read, and in
addition to that fact, data
is stored in a cylinder and
you would have to get
snapshots with a magnetic
force microscope of all the
sides of all the platters
before you could
reassemble the data.
SE Wipe Widely Adopted
Standard in 2004

♦ At the ANSI T-13 Committee meeting in 2004, Gordon
described the differences between block erase as
described in government document DoD 2550 and
Secure Erase. Unlike block-level erase, Secure Erase
also overwrites reassigned blocks and can be up to
eight times faster (per CMRR tests).

♦ So the Secure Erase command qualifies for Federal 
Government secret data classification erasure. 

♦ Two editions; one in 2001 & second in 2004. 



Gordon States...



♦ ... that drives verify the block writes via their
internal write fault detection hardware,
avoiding a separate read verify pass. This
speeds execution time, increasing user
willingness to secure erase drives.

♦ ... that for PROTECTION Secure Erase sets a
password before erase that is released after
completion.
Got Password?

[Screenshot detail of the same console output: "... password to the HDD to perform a ... with the following password: idrive ... Successful!"]

Faster Process;
We Secure Erased:

• 40 gig in 16 Minutes
• 500 gig in 2 ½ Hours
New File System

♦ We have all heard of/used these:
♦ OS File Systems:
♦ FAT12, FAT16, FAT32
♦ EXT2, EXT3, Reiser, XFS
♦ NTFS
♦ HFS+
♦ Blah, Blah, Blah

But have you heard of:

Fat64??

otherwise
known as exFat!



Fat 64 



♦ exFAT is the Extended File Allocation Table 

♦ Introduced by Microsoft with Windows Embedded
CE 6.0, and then introduced on desktops with
Service Pack 1 for Vista.

♦ It is focused on making
changes that are more
effective on Flash and Solid
State Devices.
What is good about Fat64?



♦ Uses a free space bitmap, speeding up the 
performance of the deletion cycle, which is very 
important to solid state drives. 

♦ Support for more than 1000 files in a directory. 

♦ Support for ACL - but still not implemented in Vista. 

♦ Support for TFAT which is a Transaction orientated 
FAT system - also still not implemented in Vista. 

♦ File size changes from 4 gigs to 16 Exabytes.
Partitions



Cylinder Structure 



♦ Placement of
partitions affects the
speed of your
DATA.

♦ Partitions only 
begin on Cylinder 
Boundaries. 



CHS Translation Formula for LBA = ( (cylinder * 
heads_per_cylinder + heads ) * sectors_per_track ) + 
sector - 1 




Couple of things... 



♦ The outer edge of the disk is the fastest location for 
data on the hard drive. That section begins right 
after the first partition boundary. This is generally 
the lowest numbered Logical Block Addresses. 

♦ So the second partition cannot begin before the end 
of the first partition and is offset at the beginning of 
the next cylinder boundary. The next partition is 
(size x) Gigs into the disk according to the size you 
requested for the first partition + cylinder offset. 
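
The translation formula and the cylinder-boundary rule above, worked through as an added example (not part of the original slides). The 255-head, 63-sector geometry, the first partition starting at CHS 0/1/1 and the 10 GiB size are assumptions chosen for illustration, as are the function names.

```python
def chs_to_lba(c, h, s, hpc, spt):
    """The slide's formula. Cylinders and heads count from 0, sectors from 1."""
    if c < 0 or not 0 <= h < hpc or not 1 <= s <= spt:
        raise ValueError("CHS address outside the drive geometry")
    return (c * hpc + h) * spt + s - 1

def lba_to_chs(lba, hpc, spt):
    """Inverse of the formula: split an LBA back into cylinder, head, sector."""
    cylinder, rest = divmod(lba, hpc * spt)
    head, sector0 = divmod(rest, spt)
    return cylinder, head, sector0 + 1

def next_cylinder_boundary(lba, hpc, spt):
    """First LBA at or after `lba` that begins a cylinder (head 0, sector 1)."""
    per_cylinder = hpc * spt
    return -(-lba // per_cylinder) * per_cylinder  # ceiling division

def plan_second_partition(first_start, first_size, hpc, spt):
    """Where partition 2 lands when it must begin on a cylinder boundary."""
    first_end = first_start + first_size           # first LBA after partition 1
    start = next_cylinder_boundary(first_end, hpc, spt)
    return {"start_lba": start,
            "start_chs": lba_to_chs(start, hpc, spt),
            "slack_sectors": start - first_end}    # unused gap before the boundary

# Assumed geometry and layout (constructed sample values).
HPC, SPT = 255, 63
FIRST_START = chs_to_lba(0, 1, 1, HPC, SPT)        # CHS 0/1/1
FIRST_SIZE = 10 * 2**30 // 512                     # 10 GiB in 512-byte sectors

if __name__ == "__main__":
    print("first partition starts at LBA", FIRST_START)
    print(plan_second_partition(FIRST_START, FIRST_SIZE, HPC, SPT))
```

The slack value is the cylinder offset the slide mentions: the sectors skipped between the end of the requested size and the next boundary.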
Cylinder Structure

[Figure: cylinder structure diagram. Legible labels: "Alignment", "Beginning of Partition Structure", "Partitions only start ..."]

Where do Macintoshes
store the Windows
Partition?
Zone Tables

Another Angle: ZCAV



♦ ZCAV is a Constant Angular Velocity Testing Tool. 

♦ This program is part of the Bonnie++ suite of hard 
drive testing programs. 

♦ The change from having the same number of
sectors per track created a new development
called Zoned Tables.

♦ The idea is that the drive is divided up so that the 
lower numbered sectors are the faster sectors so 
the zones are divided up according to their speed. 

http://www.coker.com.au/bonnie++/
Zoned Constant Angular
Velocity Test

https://www.usenix.org/publications/library/proceedings/ana97/full_papers/vanmeter/vanmeter/zcav.html
Kill Slow/Dead Sectors



You can make your current hard drive much faster: 

♦ Certain programs like MHDD from hddguru.com can
erase sectors that are slow (making them bad blocks).

♦ You can customize the configuration to be 
something like 150ms response time and to erase 
any block that takes more time to read. It is 
destructive so it is best to do this on a drive you are 
trying to reuse/install. 

♦ This will make each sector respond very quickly and 
will get rid of some sectors starting to go bad that 
will cause problems later as the drive ages. 



[Screenshot: sector scan output. Legible text: "Starting LBA :", "User break", "Done"]




Note: Bad Blocks are ADDED, not cleared! 
HFS+ Catalog File



♦ HFS+ Mac's Catalog is where all the files are kept 
track of. It stores the data that represents the 
location of the file, the pointers etc. 

♦ But in addition to that it also stores what is probably 
the dumbest idea in OS File System design I have 
ever heard: 

♦ It stores the location of the X and Y 
window coordinates for the Finder! 



No, Really. 
I am not kidding. 
EXT3 Journaling vs: HFS+



♦ EXT2 tools are used to fix EXT3. EXT3 could be 
mounted in EXT2 with the journal off for repair or 
data recovery. 

♦ EXT3 had so much forethought in it that when they
added Journaling into the system they made it
completely compatible with the previous version.
You just turn off journaling on EXT3, mount it as
EXT2 and use the same utilities you do for repair or
recovery of EXT2. Awesome!

♦ This is so much better than what Apple did when
they switched to HFS+.

♦ The wrapper was designed for two purposes; it 
allowed Macintosh computers without HFS Plus 
support in their ROM to boot HFS Plus volumes and 
it also was designed to help users transition to HFS 
Plus by including a minimal, bootable HFS volume 
with a read-only file called: 

Where_Have_All_My_Files_Gone?, explaining to users
with versions of the Mac OS without HFS Plus, that the 
volume requires a system with HFS Plus support 

http://en.wikipedia.org/wiki/HFS+ 



Where_Have_All_My_Files_Gone?

Why can't you see your files? This hard disk is 
formatted with the Mac OS Extended 
format. Your files and information are still on 
the hard disk, but you cannot access them 
with the version of system software you are 
using. How can you access your files? To 
access your files you must mount this hard 
disk on a computer that has Mac OS 8.1 or 
later installed... 

http://www.wap.org/journal/macos81a.html 
MACE Time



♦ MFT stores a date and time in it when your file size
changes causing it to expand clusters. And so when
talking about NTFS file systems instead of the standard
MAC Times, we now have MACE Times.

♦ The "MFT entry modified" time is updated when the file size
changes and the clusters allocated to it are modified.

♦ In other words 'Entry Modified' refers to the time when
the MFT entry itself was modified when either the file
was created, or shrunk or grew in size!

Note: TimeStomp.exe Kills this time. 



MACE Time + 
File Name Time 

♦ Only a few applications can read this time. 

♦ print "File creation time: " . $dt->date() . " " . $dt->time() . "\n";
$dt = DateTime->...
print "File modification time: " . $dt->date() . " " . $dt->time() . "\n";
$dt = DateTime->from_epoch(epoch => $Mtimes);
print "MFT modification time: " . $dt->date() . " " . $dt->time() . "\n";
$dt = DateTime->from_epoch(epoch => $fat);
print "File access time: " . $dt->date() . " " . $dt->time() . "\n";
print "Allocated size of file: " . $asize . "\n";
print "Real size of file: " . $rsize . "\n";
print "Flags: " . print_flags($fflags) . "\n";

http://buho.kevlarninja.com/code/ntfs-mbr.html 
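
Reading both sets of MACE times and comparing them is a common way to spot $STANDARD_INFORMATION times that were rewritten after the fact. The following is an added example, not code from the slides or from the linked script; the attribute contents are constructed sample bytes, the function names are illustrative, and the indicators are prompts for review rather than proof of tampering.

```python
import struct
from datetime import datetime, timedelta, timezone

EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)
# On-disk order of the four timestamps in both attributes.
NAMES = ("created", "modified", "mft_entry_modified", "accessed")

def to_filetime(dt):
    """datetime -> 100 ns ticks since 1601-01-01 UTC (used to build the sample)."""
    return (dt - EPOCH_1601) // timedelta(microseconds=1) * 10

def from_filetime(ticks):
    """100 ns ticks since 1601-01-01 UTC -> datetime (microsecond precision)."""
    return EPOCH_1601 + timedelta(microseconds=ticks // 10)

def read_times(content, offset):
    """Four consecutive FILETIME values starting at `offset`."""
    return dict(zip(NAMES, struct.unpack_from("<4Q", content, offset)))

def review(std_info, file_name):
    """Compare $STANDARD_INFORMATION times with $FILE_NAME times."""
    si = read_times(std_info, 0)    # times are the first 32 bytes of the content
    fn = read_times(file_name, 8)   # $FILE_NAME begins with an 8-byte parent reference
    allocated, real = struct.unpack_from("<2Q", file_name, 40)
    indicators = []
    if si["created"] < fn["created"]:
        indicators.append("$SI created predates $FN created")
    for name in NAMES:
        if si[name] % 10_000_000 == 0:
            indicators.append(f"$SI {name} has zero sub-second ticks")
    return {"si": si, "fn": fn, "allocated": allocated, "real": real,
            "indicators": indicators}

# Constructed sample: $FN says 2009, $SI carries whole-second 2003 values.
FN_TIME = to_filetime(datetime(2009, 3, 14, 10, 22, 31, 456789, tzinfo=timezone.utc))
SI_FAKE = to_filetime(datetime(2003, 1, 1, tzinfo=timezone.utc))
SAMPLE_SI = struct.pack("<4Q", SI_FAKE, SI_FAKE, FN_TIME + 5, SI_FAKE) + bytes(16)
SAMPLE_FN = struct.pack("<Q4Q2QI", 5, FN_TIME, FN_TIME, FN_TIME, FN_TIME,
                        8192, 5120, 0x20)

if __name__ == "__main__":
    report = review(SAMPLE_SI, SAMPLE_FN)
    for name in NAMES:
        print(name, from_filetime(report["si"][name]), from_filetime(report["fn"][name]))
    print(report["indicators"])
```

Copies and archive extractions can legitimately produce the same patterns, so treat a hit as a reason to examine the MFT record further.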
HDD Landing Zone:
Terraforming for Drives

The Sticky Problem



While the disk is not
spinning, there is
no Air Bearing
for the heads to
float over the
platter, so the
heads' "slider"
has to touch
the platter.




Smooth Operator 




The center of the disk
was chosen because
the closer you are to the
center of the platters,
the more Electro
Magnetic Interference
from the motor itself
you will have, causing
problems storing
data.
The Solution!



The problem was solved by creating the landing 
zone in the shape of a ring and by texturing cuts in 
the oxide layer in the same direction as the slider to 
remove the need for any extra torque and to keep 
the slider from sticking. 
Disappearing Data!

USB/SD Memory Sticks stored in a drawer for 10 years 

right next to your undeveloped film, 

ALL YOUR PICTURES & DATE 

will be LOST and your data GONE FOREVER!! 
Escape from their Cell!

Solid State Drives have a shelf life of about 8 to 10
years before the cells dissipate and electrons escape,
causing the loss of all your data stored on the device.
You can REPAIR your Hard
Drive with Ginsana Energy!

Head Replacement
using Foil Tool!

Build your Head Tools!

Insert Tool in
between heads

Remove the Head Stack

Insert in the New Heads!